The author of a banking Trojan called Nuclear Bot — a teenager living in France — recently released the source code for his creation just months after
The author of a banking Trojan called Nuclear Bot — a teenager living in France — recently released the source code for his creation just months after the malware began showing up for sale in cybercrime forums. Now the young man’s father is trying to convince him not to act on a job offer in the United States, fearing it may be a trap set by law enforcement agents.
In December 2016, Arbor Networks released a writeup on Nuclear Bot (a.k.a. NukeBot) after researchers discovered the malware package for sale in the usual underground cybercrime forums for the price of USD $2,500.
The program’s author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites.
Malware analysts at IBM’s X-Force research division also examined the code, primarily because the individual selling it claimed that Nuclear Bot could bypass Trusteer Rapport, an IBM security product that many banks offer customers to help blunt the effectiveness of banking trojans.
“These claims are unfounded and incorrect,” IBM’s researchers wrote. “Rapport detection and protection against the NukeBot malware are effective on all protection layers.”
But the malware’s original author — 18-year-old Augustin Inzirillo — begs to differ, saying he released the source code for the bot late last month in part because he wanted others be able to test his claims.
In an interview with KrebsOnSecurity, Inzirillo admits he wrote the Nuclear Bot trojan as a proof-of-concept to demonstrate a method he developed that he says bypasses Rapport. But he denies ever selling or marketing the malware, and maintains that this was done without his permission by an acquaintance with whom he shared the code privately.
“I’ve been interested in malware since I [was] a child, and I wanted to have a challenge,” Inzirillo said. “I was excited about this, and having nobody to share this with, I distributed the code to ‘friends’ who tried to profit off my work.”
After the source code for Nuclear Bot was released on Github, IBM followed up with a more in-depth examination of it, which argued that the author of the code appeared to release it in a failed bid to shore up his fragile ego.
According to IBM, a hacker calling himself “Gosya” tried to sell the malware in such a clumsy and inexperienced fashion that he managed to get himself banned from multiple cybercrime forums for violating specific rules about how such products should be sold.
“He did not have the malware tested and certified by forum admins, nor did he provide any test versions to members,” IBM researchers Limor Kessem and Ilya Kolmanovich wrote. “At the same time, he was attacked by existing competition, namely the FlokiBot vendor, who wanted to get down to the technical nitty gritty with him and find out if Gosya’s claims about his malware’s capabilities were indeed viable.”
The IBM authors continued:
“In posts where he replied to challenging questions, Gosya got nervous and defensive, raising suspicion among other forum members. This was likely a simple case of inexperience, but it cost him the trust of potential buyers.”
“For his next wrong move, Gosya started selling on additional forums under multiple monikers. When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess. The issue got worse when Gosya changed the malware’s name to Micro Banking Trojan in one last attempt to buy it a new life.”
Inzirillo said the main reason he released his code was to prevent others from profiting off his creation. But now he says he regrets that decision as well.
“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat.
Inzirillo released the code on Github with a short note explaining his motivations, and included a contact email address at a domain (inzirillo.com) set up long ago by his father, Daniel Inzirillo.
KrebsOnSecurity also reached out to Augustin’s dad, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.
“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”
Daniel Inzirillo said he’s worried because his son has expressed a strong interest in traveling to the United States after receiving a job offer from a supposed recruiter at a technology firm which said it was impressed by Augustin’s coding skills.
“I am very worried for him, because some technology company told him they wanted to fly him to the U.S. for a job interview as a result of him posting that online,” Daniel Inzirillo said. “There is a strong possibility that in one or two weeks he’s going to be flying to California, and I am concerned that maybe some guy in some law enforcement agency has his sights on him.”
Augustin’s dad said he had hoped his son might choose a different profession than his own.
“I didn’t want him to do software development, I always wanted him to do something else,” Daniel said. “He was introduced to programming by a math teacher at school. As soon as he learned about this it became a passion for him. But I was so pissed off about this. Even though I have been doing software all my life, I didn’t have a good opinion about this profession. I got a degree in software development as a kind of ‘Plan B,’ but I always felt there was something missing there, that it wasn’t intellectually satisfying.”
Nevertheless, Daniel said he is proud of his son’s intellectual abilities, noting that Augustin is completely self-taught in computer programming.
“I haven’t taught him anything, although sometimes he comes and he asks me some questions,” Daniel said. “He’s a self-made made man. In terms of software security and hacking, nearly everything he knows he learned by himself.”
Daniel said that after he and his wife divorced in 2012, his son went from being the first or second best student in his class to dropping out of school. After that, computers became an obsession for Augustin, he said.
Daniel said his son is extremely opinionated but not very emotionally intelligent, and he believes Augustin has strong misgivings about his chosen path. By way of example, he related a story about an incident in which Augustin was recently arrested after an altercation at a local establishment.
“When he got arrested, for no reason, he blurted out everything he was doing on his computer,” Daniel recalled. “The policemen couldn’t believe he was telling them that for no reason. I realized at that moment that he just wanted to get out. He didn’t want to continue doing what he was doing.”
Daniel said he’s deeply concerned for his kid’s future, but also recognizes that his son won’t listen to his counsel.
“He respects me, he admires me, and he knows in terms of software development I’m very good, and he wants to become like me but on the other hand he doesn’t want to listen to me,” Daniel said. “If my vision of things is written about, that might help him. But I’m also worried now that he might feel I have hijacked his notoriety. This is his story, his way of surpassing me, and he might hate me for being here.”
Augustin said he wasn’t interested in discussing his father or his family life, but he did confirm (without elaborating) that he recently was offered a job in the United States. He remains somewhat ambivalent about the opportunity, but indicated he is leaning toward accepting it.
“Well, I don’t think it’s fair that I would feel bad about getting a job because of this code, I just feel bad about having released the code,” he said. “If people want to offer me something interesting as a result, I don’t think it makes sense me saying no.”
You can skip to the end and leave a comment. Pinging is currently not allowed.